puppet 6.25.1-x86-mingw32 → 6.28.0-x86-mingw32

data/lib/puppet/type/user.rb

@@ -66,7 +66,6 @@ module Puppet
     newproperty(:ensure, :parent => Puppet::Property::Ensure) do
       newvalue(:present, :event => :user_created) do
         provider.create
-        @resource.generate
       end
 
       newvalue(:absent, :event => :user_removed) do
@@ -228,6 +227,9 @@ module Puppet
         * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
           on these systems, the `salt` and `iterations` attributes need to be specified as
           well as the password.
+        * macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user 
+          resource requires the value to be hex encoded, the length of the salt's
+          string must be 64. 
         * Windows passwords can be managed only in cleartext, because there is no Windows
           API for setting the password hash.
 
@@ -695,7 +697,6 @@ module Puppet
 
     def generate
       if !self[:purge_ssh_keys].empty?
-        return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
         else
@@ -744,6 +745,45 @@ module Puppet
         end
         raise ArgumentError, _("purge_ssh_keys must be true, false, or an array of file names, not %{value}") % { value: value.inspect }
       end
+
+      munge do |value|
+        # Resolve string, boolean and symbol forms of true and false to a
+        # single representation.
+        case value
+        when :false, false, "false"
+          []
+        when :true, true, "true"
+          home = homedir
+          home ? [ "#{home}/.ssh/authorized_keys" ] : []
+        else
+          # value can be a string or array - munge each value
+          [ value ].flatten.map do |entry|
+            authorized_keys_path(entry)
+          end.compact
+        end
+      end
+
+      private
+
+      def homedir
+        resource[:home] || Dir.home(resource[:name])
+      rescue ArgumentError
+        Puppet.debug("User '#{resource[:name]}' does not exist")
+        nil
+      end
+
+      def authorized_keys_path(entry)
+        return entry unless entry.match?(%r{^(?:~|%h)/})
+
+        # if user doesn't exist (yet), ignore nonexistent homedir
+        home = homedir
+        return nil unless home
+
+        # compiler freezes "value" so duplicate using a gsub, second mutating gsub! is then ok
+        entry = entry.gsub(%r{^~/}, "#{home}/")
+        entry.gsub!(%r{^%h/}, "#{home}/")
+        entry
+      end
     end
 
     newproperty(:loginclass, :required_features => :manages_loginclass) do
@@ -765,7 +805,7 @@ module Puppet
     # @see generate
     # @api private
     def find_unmanaged_keys
-      munged_unmanaged_keys.
+      self[:purge_ssh_keys].
         select { |f| File.readable?(f) }.
         map { |f| unknown_keys_in_file(f) }.
         flatten.each do |res|
@@ -777,41 +817,6 @@ module Puppet
         end
     end
 
-    def munged_unmanaged_keys
-      value = self[:purge_ssh_keys]
-
-      # Resolve string, boolean and symbol forms of true and false to a
-      # single representation.
-      test_sym = value.to_s.intern
-      value = test_sym if [:true, :false].include? test_sym
-
-      return [] if value == :false
-
-      home = self[:home]
-      begin
-        home ||= provider.home
-      rescue
-        Puppet.debug("User '#{self[:name]}' does not exist")
-      end
-
-      if home.to_s.empty? || !Dir.exist?(home.to_s)
-        if value == :true || [ value ].flatten.any? { |v| v.start_with?('~/', '%h/') }
-          Puppet.debug("User '#{self[:name]}' has no home directory set to purge ssh keys from.")
-          return []
-        end
-      end
-
-      return [ "#{home}/.ssh/authorized_keys" ] if value == :true
-
-      # value is an array - munge each value
-      [ value ].flatten.map do |entry|
-        # make sure frozen value is duplicated by using a gsub, second mutating gsub! is then ok
-        entry = entry.gsub(/^~\//, "#{home}/")
-        entry.gsub!(/^%h\//, "#{home}/")
-        entry
-      end
-    end
-
     # Parse an ssh authorized keys file superficially, extract the comments
     # on the keys. These are considered names of possible ssh_authorized_keys
     # resources. Keys that are managed by the present catalog are ignored.

data/lib/puppet/util/json.rb

@@ -26,6 +26,23 @@ module Puppet::Util
       require 'json'
     end
 
+    # Load the content from a file as JSON if
+    # contents are in valid format. This method does not
+    # raise error but returns `nil` when invalid file is
+    # given.
+    def self.load_file_if_valid(filename, options = {})
+      load_file(filename, options)
+    rescue Puppet::Util::Json::ParseError, ArgumentError, Errno::ENOENT => detail
+      Puppet.debug("Could not retrieve JSON content from '#{filename}': #{detail.message}")
+      nil
+    end
+
+    # Load the content from a file as JSON.
+    def self.load_file(filename, options = {})
+      json = Puppet::FileSystem.read(filename, :encoding => 'utf-8')
+      load(json, options)
+    end
+
     # These methods do similar processing to the fallback implemented by MultiJson
     # when using the built-in JSON backend, to ensure consistent behavior
     # whether or not MultiJson can be loaded.

data/lib/puppet/util/log.rb

@@ -105,9 +105,14 @@ class Puppet::Util::Log
   def Log.level=(level)
     level = level.intern unless level.is_a?(Symbol)
 
-    raise Puppet::DevError, _("Invalid loglevel %{level}") % { level: level } unless @levels.include?(level)
+    # loglevel is a 0-based index
+    loglevel = @levels.index(level)
+    raise Puppet::DevError, _("Invalid loglevel %{level}") % { level: level } unless loglevel
 
-    @loglevel = @levels.index(level)
+    return if @loglevel == loglevel
+
+    # loglevel changed
+    @loglevel = loglevel
 
     # Enable or disable Facter debugging
     Puppet.runtime[:facter].debugging(level == :debug)

data/lib/puppet/util/monkey_patches.rb

@@ -39,6 +39,12 @@ unless Puppet::Util::Platform.jruby_fips?
     end
   end
 
+  unless defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH)
+    module OpenSSL::X509
+      OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH = 0x3E
+    end
+  end
+
   class OpenSSL::SSL::SSLContext
     if DEFAULT_PARAMS[:options]
       DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
@@ -64,8 +70,6 @@ unless Puppet::Util::Platform.jruby_fips?
 end
 
 if Puppet::Util::Platform.windows?
-  require 'puppet/util/windows'
-
   class OpenSSL::X509::Store
     @puppet_certs_loaded = false
     alias __original_set_default_paths set_default_paths

data/lib/puppet/util/package.rb

@@ -1,6 +1,13 @@
+# frozen_string_literal: true
 module Puppet::Util::Package
-  def versioncmp(version_a, version_b)
+  def versioncmp(version_a, version_b, ignore_trailing_zeroes = false)
     vre = /[-.]|\d+|[^-.\d]+/
+
+    if ignore_trailing_zeroes
+      version_a = normalize(version_a)
+      version_b = normalize(version_b)
+    end
+
     ax = version_a.scan(vre)
     bx = version_b.scan(vre)
 
@@ -8,24 +15,26 @@ module Puppet::Util::Package
       a = ax.shift
       b = bx.shift
 
-      if( a == b )                 then next
-      elsif (a == '-' && b == '-') then next
-      elsif (a == '-')             then return -1
-      elsif (b == '-')             then return 1
-      elsif (a == '.' && b == '.') then next
-      elsif (a == '.' )            then return -1
-      elsif (b == '.' )            then return 1
-      elsif (a =~ /^\d+$/ && b =~ /^\d+$/) then
-        if( a =~ /^0/ or b =~ /^0/ ) then
-          return a.to_s.upcase <=> b.to_s.upcase
-        end
+      next      if a == b
+      return -1 if a == '-'
+      return 1  if b == '-'
+      return -1 if a == '.'
+      return 1  if b == '.'
+      if a =~ /^\d+$/ && b =~ /^\d+$/
+        return a.to_s.upcase <=> b.to_s.upcase if a =~ /^0/ || b =~ /^0/
         return a.to_i <=> b.to_i
-      else
-        return a.upcase <=> b.upcase
       end
+      return a.upcase <=> b.upcase
     end
-    version_a <=> version_b;
+    version_a <=> version_b
   end
-
   module_function :versioncmp
+
+  def self.normalize(version)
+    version = version.split('-')
+    version.first.sub!(/([\.0]+)$/, '')
+
+    version.join('-')
+  end
+  private_class_method :normalize
 end

data/lib/puppet/util/yaml.rb

@@ -24,7 +24,11 @@ module Puppet::Util::Yaml
   # @raise [YamlLoadException] If deserialization fails.
   # @return The parsed YAML, which can be Hash, Array or scalar types.
   def self.safe_load(yaml, allowed_classes = [], filename = nil)
-    data = YAML.safe_load(yaml, allowed_classes, [], true, filename)
+    if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0')
+      data = YAML.safe_load(yaml, permitted_classes: allowed_classes, aliases: true, filename: filename)
+    else
+      data = YAML.safe_load(yaml, allowed_classes, [], true, filename)
+    end
     data = false if data.nil?
     data
   rescue ::Psych::DisallowedClass => detail
@@ -42,6 +46,17 @@ module Puppet::Util::Yaml
     safe_load(yaml, allowed_classes, filename)
   end
 
+  # Safely load the content from a file as YAML if
+  # contents are in valid format. This method does not
+  # raise error but returns `nil` when invalid file is
+  # given.
+  def self.safe_load_file_if_valid(filename, allowed_classes = [])
+    safe_load_file(filename, allowed_classes)
+  rescue YamlLoadError, ArgumentError, Errno::ENOENT => detail
+    Puppet.debug("Could not retrieve YAML content from '#{filename}': #{detail.message}")
+    nil
+  end
+
   # @deprecated Use {#safe_load_file} instead.
   def self.load_file(filename, default_value = false, strip_classes = false)
     Puppet.deprecation_warning(_("Puppet::Util::Yaml.load_file is deprecated. Use safe_load_file instead."))
@@ -57,7 +72,11 @@ module Puppet::Util::Yaml
       end
       data.to_ruby || default_value
     else
-      yaml = YAML.load_file(filename)
+      if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.3.2')
+        yaml = YAML.unsafe_load_file(filename)
+      else
+        yaml = YAML.load_file(filename)
+      end
       yaml || default_value
     end
   rescue *YamlLoadExceptions => detail

data/lib/puppet/util.rb

@@ -7,6 +7,7 @@ require 'uri'
 require 'pathname'
 require 'ostruct'
 require 'puppet/util/platform'
+require 'puppet/util/windows'
 require 'puppet/util/symbolic_file_mode'
 require 'puppet/file_system/uniquefile'
 require 'securerandom'
@@ -22,8 +23,6 @@ module Util
   require 'puppet/util/posix'
   extend Puppet::Util::POSIX
 
-  require 'puppet/util/windows/process' if Puppet::Util::Platform.windows?
-
   extend Puppet::Util::SymbolicFileMode
 
   def default_env

data/lib/puppet/version.rb

@@ -6,7 +6,7 @@
 # Raketasks and such to set the version based on the output of `git describe`
 
 module Puppet
-  PUPPETVERSION = '6.25.1'
+  PUPPETVERSION = '6.28.0'
 
   ##
   # version is a public API method intended to always provide a fast and

data/lib/puppet.rb

@@ -242,20 +242,7 @@ module Puppet
     {
       :environments => Puppet::Environments::Cached.new(Puppet::Environments::Combined.new(*loaders)),
       :http_pool => proc { Puppet.runtime[:http].pool },
-      :ssl_context => proc {
-        begin
-          cert = Puppet::X509::CertProvider.new
-          password = cert.load_private_key_password
-          ssl = Puppet::SSL::SSLProvider.new
-          ssl.load_context(certname: Puppet[:certname], password: password)
-        rescue => e
-          # TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
-          Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
-          # TRANSLATORS: `puppet agent -t` is a command and should not be translated
-          Puppet.err(_("Run `puppet agent -t`"))
-          raise e
-        end
-      },
+      :ssl_context => proc { Puppet.runtime[:http].default_ssl_context },
       :ssl_host => proc { Puppet::SSL::Host.localhost(true) },
       :http_session => proc { Puppet.runtime[:http].create_session },
       :plugins => proc { Puppet::Plugins::Configuration.load_plugins },
@@ -364,3 +351,4 @@ require 'puppet/status'
 require 'puppet/file_bucket/file'
 require 'puppet/plugins/configuration'
 require 'puppet/pal/pal_api'
+require 'puppet/node/facts'